The government can demand that a public telecommunications
service intercepts an individual's communications
The act's "interception warrants" can be served for purposes of "national
security", "preventing or detecting serious crime" or "safeguarding the economic
well-being of the UK". These (undefined) terms are so vague as to be applicable
to just about anyone.
For example, the communications of businessmen negotiating deals with
foreign companies could easily fall under "safeguarding of the economic
well-being of the UK" within the plain English meaning of the term.
The definition of public telecommunications services is broad and could
apply to internet services providers, phone companies, or even someone running
a web site.
When an ISP is served with an interception warrant, it has to comply and
it may not reveal this fact to anyone ever. Thus you wouldn't even know
that the government was doing this to you.
See sections 1 to 5 (which define unlawful and authorised
interceptions) and 6 to 11 (which define interception warrants and associated
powers and duties). Take note of the definition of "public telecommunications
service" in section 2, and the legal requirements on people served with
an interception warrant in section 11.
The Home Secretary can serve interception
warrants to perform mass surveillance
Whilst the interception warrants normally have to specify the communications
of an individual or set of premises to intercept, under certain circumstances
the home secretary can order that the "external communications" of a telecommunications
service be intercepted (e.g. all the internet traffic flowing through a
particular ISP's machines) if he deems it necessary for purposes of national
security, preventing/detecting serious crime or safe guarding the UK's economic
well being.
The exceptions allowed here could be used to perform mass surveillance
of internet traffic (or phone calls) and again allow such use on vague grounds
that would allow the Home Secretary to use it in just about any circumstances.
See sections 8(4) to 8(6) which specify that an interception
warrant should specify the communications data of an individual or a set
of premises to be monitored, but then allows an exception for the above
stated grounds.
The government can require ISPs to fit equipment
that enables them to do perform surveillance
The government will however contribute to the costs of doing so.
Apart from the hassle this will cause to ISPs this could allow the government
to require ISPs to install "back doors" into their systems for the purposes
of monitoring. Furthermore there is no requirement that the design of such
equipment be public, and given the tone of the act and the secretive nature
of the government organisations likely to use this (GCHQ, MI5) it is likely
such designs would remain secret.
The affected ISPs' security could be seriously compromised since it is
possible not only that corrupt government officials could abuse such powers,
but that such systems would be vulnerable to attacks from hackers who find
out about the back doors.
The history of computer network security demonstrates that such back doors
are serious vulnerabilities and that the best way to remain maximally secure
is for one's security system to be publicly open to expert evaluation. This
requirement serious undermines that and will damage the development of the
trust and security required for e-commerce.
See sections 12 to 14 (on interception capability and
costs).
The government can demand that decryption
keys be handed over in order to access protected information,
where the person concerned has or has had the keys and does not have the information.
It is an offence not to hand over such a key on pain of 2 years imprisonment.
You are deemed to have possessed the key if you possessed it at any time
before the disclosure notice was served, unless you can show you did not
have it after the time the notice was served and before the time you were
required to disclose it. You are taken to show that you did not possess
it at the relevant time if you can adduce sufficient evidence to raise an
issue with respect to this matter and the contrary is not proved beyond
reasonable doubt.
Note that if you ever had the key you will have to produce evidence you
no longer have it, i.e. provide evidence for a negative. Also, if the notice
requiring disclosure demands secrecy it is an offence to let anyone know
that you've been asked to hand over the key(s) in question on pain of 5
years imprisonment.
The legal requirements here undermine the use of public key systems, such
as PGP, to protect information that is communicated between people. Whilst
it is possible to set things up to minimise this impact and even circumvent
these powers, this simply imposes costs on ordinary users who wish to keep
their communications secret for any reason (criminals can circumvent these
powers anyway!), and also puts people who use PGP at risk of having to disclose
their private keys (thus compromising the security of all the info sent
to them) or going to prison for destroying, forgetting or losing a key.
See sections 49 to 56 which define the powers and offences
related to this issue. See also Schedule 2.
